CSO50 2016 winners announced

Mar 10, 2016

The CSO50 recognizes 50 security projects, taken on by 45 organizations, that demonstrate outstanding thought leadership and business value. These are their stories.


ADP Integrated Application Security Testing (IAST)

ADP was looking for a way to discover vulnerabilities in web applications much earlier in its software delivery lifecycle. Many times significant architectural flaws are discovered at the last minute because penetration testing is the last thing to happen before a project is released. This created significant headaches and delays for the business.

To increase the speed of its software development release cycles and reduce application vulnerabilities, ADP added automated application security testing technology to its quality assurance testing processes. This technology provides continual analysis of application code running Java or .NET and finds vulnerabilities in real-time.

Development teams are now able to perform minor fixes and patch releases without direct interaction from the security testing team. This decreases the backlog of requested security assessments and reduces the lead time needed to test major production releases.

The project initially covered the top 10 percent of its application base and is expanding to 25 percent within the first year of service.


When AECOM acquired URS Corp. in October 2014, the company doubled in size and created the largest integration in its industry’s history. AECOM, a global engineering, design and construction company, now consists of 100,000 employees in 150 countries. The acquisition meant consolidating six separate divisional information security functions, which had previously operated individually, into one global enterprise team with no divisional, business unit or regional boundaries.

The integration of AECOM and URS meant a new organizational structure, new teams, standing up a new Global SOC, consolidated technology and toolsets, and new ways of working in a globally distributed virtual environment.

A consolidated enterprise security team has helped it align with and gain support from other functional groups within the organization such as Legal, ERM, resilience groups, ethics and compliance, and communications. It has also reduced the phishing fail rate from 29 percent to 7 percent and successfully addressed 3,000 security incidents in six months.

Aetna External Security Portal

As cyber security threats continue to rise, more regulators and customers want assurance that health records are protected. Each month, Aetna would receive about 500 requests from customers and examiners asking for information about Aetna’s security program. Requests would come in through multiple channels, requiring internal security staff to gather documents and prepare the appropriate responses. The challenge was to quickly and easily disseminate this information.

Aetna developed an external security portal that provides a secure and centralized repository to Aetna’s IT security practices. With this new tool, Aetna can share pertinent information that helps customers evaluate the maturity of its security controls, and clients and assessors can access the information they need. Since the program launched in 2014, the number of external and internal users per month continues to rise, and Aetna has seen a significant reduction of individual requests.

Aflac Log Management to Security Intelligence

In early 2014, what began as a process for Aflac to expand its log management platform ultimately had another welcome benefit. It expanded Aflac’s ability to assess and correlate data, and track events for investigations. It also ensured compliance with the Payment Card Industry and any regulation requiring log archival and analysis capabilities.

Aflac’s security team worked with its IT partners to identify and implement a new Security Information and Event Management (SIEM) platform. The SIEM enabled near real-time notification and response to events, which improved the response times to business units.

The project was first implemented in early 2014 and began consolidating logs from 300 log sources. Throughout 2014, more than 9,000 logs were added. A balance was achieved in the amount of data retained and the ability to query efficiently. Most queries can now be performed in minutes versus days.

Aflac Enhanced Vulnerability Scanning

Aflac had vulnerability scanning capabilities in place in October 2014, but it wanted more. The aim was to evolve vulnerability scanning from a technical platform capability to an integrated service and process operation.

Aflac migrated its vulnerability scanning from an appliance with limited capacity to a managed service focused on standards compliance, full-scale asset discovery and comprehensive network scanning. Managing vulnerability scanning as a service instead of an appliance has allowed Aflac to reallocate internal resources to focus on remediation rather than administration of a scanning tool.

Output from the scanning tool is fed directly into Aflac’s governance and compliance tracking system, where items are tracked not only as technical risks, but also as issues of security policy exception and enforcement. Aflac has been able to remediate 100 percent of the vulnerabilities identified, a 10-fold increase since the beginning of 2015.

Amity Education Group National Cyber Alert System

Cyber threats are one of the biggest issues facing India today. While nearly every organization has deployed some security solution to safeguard their networks, very few are doing analysis of attacks or malware to understand who is targeting them, why or how. The private, non-profit Amity Education Group wanted to create and provide this information on a national level.

The Amity cyber security team developed an “Advanced Threat Protection CCFIS Sensor,” a malware and targeted attack-capturing appliance that deflects the attack and captures malware and targeted attacks. The appliance performs log analysis and reverse engineering of the captured malware, and then provides an intelligence report with details such as the attacker’s IP, domain, date and time, malicious file extensions, code language and encryption level. The information can be used to further implement policies to strengthen the security of the network.

The sensors have been deployed at 11 National and International Amity locations so far.

Amkor Technology Governance, Risk and Compliance — Defense scores points and Offense protects against risk

Amkor Technology’s internal and external audits used to be time-consuming and resource intensive, with multiple repositories and no single source of truth. While the GRC environment had been in place since the first SAP implementation, the tool needed a facelift. With the new implementation of SAP GRC latest version, the tool has morphed into a mature product, including additional features and functionalities that impact the bottom line.

The scope of its GRC project included the full SAP landscape, the ERP central component, supplier relationship management, advanced planning and optimization, business intelligence, business objects BI, and process integration.

Automated user provisioning and audit review reduced headcount requirements and saved $150,000. Amkor also implemented password self-service, letting users reset passwords through a two-factor authentication process that uses email and Active Directory. Manual resets have been reduced by 80 percent, saving $30,000. Customization of rule sets has enabled Amkor to retire a COTS product, saving the company $35,000 annually.

Atlantic Health System Situational Awareness with AHS SitStat

When it comes to serious security incidents, Atlantic Health System has developed the mantra that “one is too many.” To keep its 9.5 million square feet of facilities and 14,000 employees safe, AHS has adapted the New York Police Department’s CompStat approach for its healthcare system.

With AHS SitStat, all security, emergency management, fire and safety calls for service are entered into the CAD system, which allows AHS to track the use of resources and the incidents affecting its sites. Security officers complete electronic incident reports detailing all events that occur during an incident. All sites can enter, track, trend and analyze this data. Data is captured at the point of service by the site security command centers and by responding officers, who enter it electronically into CAD/RMS. Critical incidents are immediately communicated in a briefing report to all sites.

Statistics and anecdotal evidence have shown this to be effective in sharing intelligence, preventing and mitigating adverse events, and promoting efficient use of limited resources.

Blue Cross Blue Shield of Michigan Supplier Risk Management Program

Many high-profile data breaches have been traced to weaknesses in third-party vendor or contractor security. Many suppliers to BCBSM and Blue Care Network of Michigan do not target the healthcare industry as a primary market, so they were not familiar with HIPAA and other regulatory agency requirements.

The Supplier Risk Management program gauges each supplier’s capability to protect BCBSM/BCN’s sensitive information exchanged and the computing assets used.

Through a SharePoint system, a common repository of information was made available to vendor assessment specialists, risk analysts, business relationship managers and purchasing staff. This data repository was used to collect and share questionnaire results and supporting documentation, identify risks, and store risk resolution documentation and risk disposition.

The program tracks remediation plans and helps execute on-site visits or desktop assessments to ensure security measures are implemented. It also helps BCBSM monitor, reassess and decommission suppliers per their contractual agreements, and employ a quantitative, risk-based approach to supplier ranking and reporting metrics.

Boston University Enterprisewide Multi-factor Authentication

In January 2014, several senior faculty members at Boston University checked their bank accounts and found that their paychecks had not been deposited. They reported the issue, and the investigation revealed that this was a virtual, but very real, heist. Their direct deposit information had been changed and their money had been re-routed into other people’s bank accounts. The root cause was credentials compromised through a phishing attack that had begun two months earlier.

The solution was multi-factor authentication. BU engaged top talent to manage, architect, build and deploy the solution. The team selected a flexible approach that allowed them to solve every use case thrown at them. A proof of concept was completed in three days and was ready for production deployment by the end of one month. Several more months of communication later, the technology was up and running. About 1,168 accounts were added during the opt-in period. Today, BU protects 15,000 accounts with MFA.

CA Technologies OneAccess

Like many organizations, CA Technologies’ internal IT organization was facing an increasing demand for BYOD and tablet/smartphone access. The challenge was to deliver a consumer-grade, personalized user experience that improves end-user satisfaction and productivity, as well as provide personalized security via single-login access to applications on mobile devices.

The challenge pushed IT to develop OneAccess, a solution that integrates several different products, namely CA SSO and CA API Gateway, to provide a mobile-based single sign-on to applications (internal and third party) that were not native to the mobile world. Users now have a secure way to access a range of applications on their mobile device or tablet whether they are in the office, traveling or at home.

Today, 3,637 users have the application installed on their mobile devices, with one-click access to 15 enterprise applications with a single log in.

City of Houston Cybersecurity Control Implementation Interface

Many organizations within the Greater Houston Metropolitan Region struggle with limited budgets and staffing, especially in cybersecurity. The City of Houston wanted to create a repeatable process that other organizations in the region could use, based on its newly created NIST Cybersecurity Framework implementation, as well as share its lessons learned.

The city initially planned to provide a set of documents that others would be able to re-use, but quickly realized the amount of information would likely be overwhelming. Instead, with funding assistance from DHS through Urban Area Security Initiative grants, the city was able to create a more user-friendly tool.

The Cybersecurity Control Implementation Interface is a web-based collection of tools that provides access to the policy and procedure boilerplates, interactive utilities, FAQs, a step-by-step road map and best practices for the implementation of the NIST Cybersecurity Framework. There are currently 11 registered users of the tool with over 854 unique visitors to the website.

Clorox Project Accio – Brita Replenishment Program Joins the “Internet of Things”

Clorox’s Brita water filtration products require timely filter replacement to ensure consumers have fresh filtered water. The Brita team wanted to help consumers easily and automatically order replacement filters for Brita products.

In March 2015, Clorox joined with Amazon’s new Dash Replenishment Services to offer automated reordering of Brita filters to consumers. Recognizing the security risks of connecting household devices to the Internet, Clorox created a program to integrate security controls to protect consumer confidentiality and control integrity of DRS-placed orders.

One challenge was controlling undesired ordering, such as a child unwittingly ordering multiple filters, because order data integrity is critical to consumer acceptance. Another challenge was gaining consumer confidence by protecting home networks against unauthorized access and malicious software.

Clorox leveraged Amazon’s authentication and payment systems, customer service, and their robust fulfillment network. As part of the project, Clorox was able to meet its risk and security criteria, map device attributes with standard threat databases and comply with cloud security standards.

Comcast Advanced Attack Remediation and Mitigation

Internet access and reliable publicly routable network transport are critical to the health of the U.S. and global economy and even to national defense. As demand for high-speed and high-availability networks increases, so does the cyber-threat landscape. Comcast recognized the growing threat and embarked on an aggressive effort to more effectively protect its infrastructure, services and consumers from network-borne attacks.

The AARM project succeeded in meeting that objective by giving Comcast the ability to detect, track and respond to network-based threats. The AARM solution, built from a mix of technologies from several vendors, targeted IPv4 and IPv6 support for all lines of business and all service delivery network infrastructure. Systems are tied together within a customized, internally developed command and control framework. Pillars of the solution include network IOS, NetFlow, anomaly detection and network-based mitigation technologies.

Comcast now identifies over 3,000 unique DDoS or DoS attacks per day, up from 1,300 before AARM.

Comcast Virtualization of the SIEM

Comcast’s security information and event management (SIEM) system needed to keep up with the company’s rapid growth while remaining flexible enough to adapt to the unique requirements of each business unit. The new system had to be capable of quickly ingesting logs from a variety of vendors and solutions, while providing seamless failover with no data loss. The goal was to virtualize the environment by building a SIEM cloud or SaaS-like environment.

Comcast chose to keep its HP ArcSight software and add HP 3PAR storage arrays, HP ProLiant servers, Red Hat Linux and a VMware virtualization platform to build a scalable SIEM platform. The platform can ingest 400,000 events per second, compared to the previous 40,000. It provides high availability, near real-time intra-datacenter failover and fast inter-datacenter failover with no data loss. The platform scales horizontally with no upper limit and can provision new business units within minutes. It also lets the incident response team work from a single screen.

Comcast Cable Comcast 360° Vendor Risk Assurance Program

Comcast Cable has over 70,000 vendors with contractual access to its critical systems and applications. With such a large number of vendor accounts, the company must keep up with increasing security and business risks.

For the first time in the media and entertainment industry, Comcast Cable has implemented a technology control that proactively communicates to its vendors the risks and activities that are associated with Comcast. Comcast 360° Vendor Risk Assurance Program provides a comprehensive view of vendor risk for information and infrastructure security, national governance, risk and compliance leadership and security operations center teams. The program provides a defense against targeted attacks that leverage the vendor as a threat vector. With this program in place, Comcast has increased its visibility and control across its vendor ecosystem, maximized organizational efficiencies, improved timely responsiveness, and measurably reduced vendor-related risk by providing vendors with timely and actionable information.

Cox Communications Customer Safety Initiative

Cox Communications strives to improve the customer experience and provide a safe environment for its 4.5 million subscribers when computing on the Internet.

The Customer Safety Initiative proactively protects Cox’s broadband Internet subscribers by detecting and blocking malware infections, delivering notifications, and providing remediation.

The hybrid solution combines a commercial solution with several internally-developed systems. The CSI framework brings together tools and techniques to prevent infections, detect customers who have already been infected, prevent malware from doing harm to infected devices and remove the infection from the subscribers’ devices. The system covers all Cox business and residential subscribers, as well as critical Cox-owned infrastructure.

With CSI in place, Cox has been able to detect and alert on over 500,000 infections and assist over 300,000 subscribers with removal of these threats without increases in call volume during the first half of 2015. This is a 200 percent increase over previous years. Repeat infections dropped from 22 percent to 15 percent.

Department of Homeland Security Cyber Information Sharing and Collaboration Program

The safety of our critical services — energy, drinking water, emergency services and transportation — is a constant concern for DHS. The health of our overall economy relies on protecting these services from online threats and security incidents.

The DHS Cyber Information Sharing and Collaboration Program was developed to foster a collaborative environment for sharing threat information between industries, across the 16 critical infrastructure sectors, and with the federal government. The federal government shares cybersecurity awareness of emerging or evolving cyber threats with industry participants, holds unclassified meetings and workshops, and offers tools focused on protecting critical assets.

The program encourages its members to collaborate on their own cyber threat detection, mitigation and response efforts, as well, and to build relationships between sectors. There are currently 143 participating entities in the program, and 148 companies are awaiting validation to join CISCP.

Early Warning Services Advanced Fraud Detection Code Review Project

The nation’s largest financial institutions may be competitors, but they all share a common goal to fight fraud and exceed the highest standards for data security. Some 1,500 financial institutions use EWS for critical data exchange.

EWS embarked on the Advanced Fraud Detection Code Review Project, utilizing third-party static and dynamic analysis on every code base for each software and service component in their product suite. After testing, the results are reviewed and remediation requests are generated to fix each finding. The remediated components and products can then be used together with confidence and meet system-wide compliance.

In the process, EWS’s review team had to perform testing and security reviews that went beyond what each financial institution required individually. It also had to remain in compliance with government requirements, cascading the benefits down to individuals and businesses.

The assessment of all in-house developed software assets at one time allowed the business to understand any issues in the current application stack, and then to properly align its roadmap for risk remediation, bug fixes, new features and staff requirements.

Fairfax County Government Next Gen Security Program for Fairfax County Government and National Capital Region

Fairfax County government in Virginia recognizes the value of social media, but detecting and stopping session-based and application-based attacks from the Internet was a growing problem. It also recognized the need to modernize its network to take advantage of virtualization and security technologies to improve service and reduce costs.

The new security program included implementing next generation firewalls that provide in-depth application layer inspection such as virus scanning, user-ID permissions, URL filtering and intrusion detection, and application control of outbound and inbound Internet traffic. The program now lets county employees safely use social media while preventing access to applications and high-risk content.

Modernizing the network also paved the way for server virtualization projects. It has consolidated servers at an average ratio of 60:1 and reduced the amount of network hardware. New identity and access management capabilities eliminate the need for applications and users to manage individual sets of credentials.

Freedom Mortgage Workstation Cloud Migration

When Freedom acquired First Mortgage company in July 2015, the IT department was given two weeks to give all users full access to Freedom systems. First Mortgage employees still needed access to their existing systems, and Freedom could not connect the networks directly due to existing First Mortgage security vulnerabilities. Instead, the server team came up with a solution using Amazon-based workstations hosted in the cloud and configured with Freedom’s secure image. First Mortgage employees loaded the Amazon client on their workstations. The solution provided employees with access to First Mortgage applications on their old system, while also giving them secure access to Freedom systems by logging into the Amazon client from the same workstation.

This also opened a new security hole. Freedom Mortgage uses RSA Authentication Manager for multi-factor authentication, which is not supported by Amazon. Freedom engineers were able to develop workaround configurations to enable the two systems to talk.

GameStop Information Security Program Transformation

Prior to 2013, GameStop’s information security program was managed by a handful of short-term security personnel with no continuity of projects. Business also suffered from IT’s “no” mentality. IT was not considered a business enabler. Layers of security tools had been implemented, but there were limited engineers to customize or enhance these tools and respond to alerts.

External threats forced the organization to re-think its strategy. The company brought in new Director of Global Information Security Robert Bernard to rebuild a better information security program. He built a new team, addressed the most critical risks and assets first, worked with various IT leaders, rebuilt the business’s confidence in IT and met compliance requirements.

In a short time, the company says he has transformed the security team from the most disliked department to a business enabler, increasing staff from five to 23 team members responsible for IT risk, security architecture, IT security operations and compliance.

Georgia-Pacific LLC Third-party Technology Risk Assessment Framework

Georgia-Pacific was faced with a snowballing of “shadow IT services” that were being procured outside the knowledge and control of the central IT organizations. These IT services introduced a myriad of new risks to the company, including technical authentication and access control management concerns, and new legal and data privacy concerns related to data no longer residing within its network.

GP’s Third-party Technology Risk Assessment project provided a framework for assessing the risk for SaaS, IaaS, cloud and all other situations where GP data leaves its network. The framework incorporates the assessment of risk from a technology standpoint, as well as other key disciplines such as e-discovery, legal, records and information management and data privacy.

Over 250 assessments were performed within the first 12 months of implementation of the framework — more than the previous three years combined. The project helped identify duplication of services and gaps in IT services, as well as enforce security standards and mitigate significant risks.

HCSC Threat Intelligence-focused Cyber Investigative Services

The rapidly changing cyber threat landscape prompted the nation’s fourth largest health insurer to realign its cyber investigative services around real-time threat intelligence. The task was daunting, as HCSC includes the large, distributed and complex IT environments of Blue Cross Blue Shield of Illinois, Texas, New Mexico, Montana and Oklahoma.

HCSC created a centralized cyber investigative service, aligning its entire security operations center with dedicated staff and processes to provide actionable threat intelligence to both leadership and technical teams. A cyber threat exchange portal now provides industry-specific threat information and improves the team’s ability to detect high-priority threats. It also provides daily, relevant indicators of compromise to technical teams so that they can update security monitoring and response capabilities.

The service has reduced the time spent investigating known, repetitive false positives and let staff focus on relevant and actionable threats. It also dramatically enhanced BCBS’s HIPAA compliance by improving its cyber investigative capabilities.

Health Net Inc. Partnering with Business in the Security Assessment Process

As part of its reform of information security processes and procedures, Health Net’s information security team wanted to make it easier to explain to the business which business IT projects could be more secure and why.

The security assessment project blended security requirements from NIST, HIPAA, SOX and others. The resulting tool and process allows the infosec team to more quickly, accurately and systematically assess projects and capabilities, and then produce factual, risk-based security recommendations.

The approach focuses first on understanding the environment, then discussing and discovering items as a team with a mutual goal of reducing or eliminating risk. Not only did the approach foster openness and reduce anxiety, project leaders say, but it also helped uncover real areas where risk could be reduced, such as excessive data retention. There are no surprises or embarrassing ‘gotcha’ type reports. Going forward, the business sees information security as partners in accomplishing its mission, rather than roadblocks to progress.

HMS Business Resilience and Assurance Program

A business continuity plan is important in case of a disaster, but other serious risks abound with a higher likelihood of occurring every day — like privacy leaks, fraud and inaccurate data. These differing philosophies often put HMS’s business continuity and security risk management teams at odds.

HMS decided to integrate these two distinct programs to help identify potential problems before they occur, so that risk-handling activities could be planned and carried out to both keep data safe and achieve business objectives.

HMS’s Integrated Business Resilience Program is part of a comprehensive SRM program that allows a more reasoned and less emotional understanding of the universe of business risks faced by HMS. It established risk as a continuous, forward-looking process that is interwoven as part of business and technical management recovery processes. It also includes early and aggressive risk identification through collaboration and involvement of relevant stakeholders using a holistic approach. Today, the program protects the entire HMS enterprise.

Horizon Blue Cross Blue Shield Security Operations Center – Threat Intelligence Automation

Horizon Blue Cross Blue Shield of New Jersey has revolutionized the way it coordinates and processes incoming intelligence. In the past, team members would often receive pertinent intelligence indicators piecemeal and from many different sources. Many of these indicators were salient and specific to the healthcare industry, but it took time to preprocess, process and then act upon them.

The Threat Intelligence Automation project provides an integrated view of multiple threat feeds associated with past, present and emerging attacks against the healthcare industry. The project improved average incident detection and response times from hours to minutes, and improved the quality of incidents reported. The capacity for cyber security threat intelligence more than doubled, along with the range of coverage for threat intelligence sources and feeds. Over 50 indicators of compromise are now used to organize Horizon-BCBSNJ data and enable analysts to query for a specific subset of alerts related to a particular event.

INC Research Security and Privacy Training and Awareness Program

In the regulated pharmaceutical industry, companies are required to conduct annual security and privacy training to remain industry compliant. INC Research has made this arduous task much more tolerable.

The Security and Privacy Training Awareness Program takes security training beyond the annual re-reading of a variety of endless policy and SOP documents, and moves it into a more engaging, “quick hit” format with humorous content that delivers the required compliance guidance along with timely threat environment information. INC accomplishes this utilizing only existing manpower resources with no budget impact.

The program has established and maintained a heightened state of awareness and an “index of suspicion” across the company to make INC more resistant to the rapidly evolving threat environment. Program leaders say security is more top-of-mind, and the employees are engaging the information security department spontaneously and with greater regularity.

Jumeirah International Customized Solution for Access Management

Luxury hotel and resort company Jumeirah Group knows that the information traffic flow from guests, colleagues, contractors, suppliers and members of the public is endless. Until recently, Jumeirah’s access control was manual, which presented the company with many challenges.

Handling the registration of visitors is at the top of its security list. The company embarked on a customized solution for access management to speed up business procedures and increase security levels. They achieved this through the use of a new visitor management system.

The system uses optical character recognition backed by a neural network to transfer the text of personal and travel documents into its database within seconds. Once an ID or passport is scanned, its details are populated automatically into the VMS database, enabling timely recording, archiving and management of visitor details in the hotel.

The registration process is more reliable and accurate, with added levels of security.

Kimberly-Clark Corp. 2016 Security Program

During the rollout of a $6 billion divestiture and company-wide reorganization, the Kimberly-Clark security organization took the opportunity to enhance coverage of its new cybersecurity framework and step-up security awareness to non-IT audiences.

K-C heightened its users’ security awareness with campaigns on phishing attacks, new training materials and an award-winning “Protect K-C & Me” brand. K-C’s CISO Timothy Youngblood traveled the world on roadshows to communicate awareness to international business and IT units.

On the development side, the security team enabled self-service tools, such as code scanning, that allowed developers to integrate security into the software development lifecycle without slowing down development. The team also ripped and replaced endpoint security software on 40,000 machines internationally to increase antivirus detection rates.

Event response times have been reduced from weeks to hours with new tools, such as SIEM, insourced brand websites, and new incident response processes developed by K-C’s threat manager.

L’Oreal USA Digital Security Framework

L’Oreal wanted to make “digital” a catalyst for change and marketing innovation. To accomplish this, the company had to overcome the information security challenges of protecting its customer information and its critical assets. L’Oreal America transformed how security enabled the business, taking a proactive approach to understanding risk.

First, the company embedded IT security resources within the business model to assist in identifying security subject matter experts that were aligned with the business needs. Second, it implemented a reference architecture and an underlying infrastructure to support a massive increase in direct-to-consumer touch points, including implementation of an API gateway and developer portal to support direct selling to consumers via mobile applications.

The security department is now considered a vested partner in enabling the business at the start of all innovative initiatives, instead of waiting for the business to include security downstream in the development process.

Martin Health System Physical isolation from non-business foreign entities

Martin Health System’s perimeter defenses are constantly probed for weaknesses from many sources outside the continental United States, and the healthcare provider receives hundreds of thousands of junk or malicious emails every day. On any given day, over 80 percent of inbound traffic and probes originated outside the U.S. This placed a significant strain on its systems and clogged resources, delaying legitimate traffic.

Martin Health System implemented Check Point Unified Threat Management systems, which allowed the IT team to blacklist entire countries while whitelisting legitimate connections.

Since the system was implemented, foreign incoming traffic has dropped to less than 5 percent on average. The risk of exposing patient information or suffering a breach has also dropped significantly, simply by eliminating sources that actively seek unauthorized access.

MasterCard WorldWide MasterCard DISRUPT 2015

Companies are constantly challenged to stay steps ahead of hackers. To proactively prevent system and network data breaches, MasterCard routinely educates its employees on how to eliminate security vulnerabilities in their applications at the outset. Events like DISRUPT 2015 offer an innovative way to train its technologists on the importance of developing secure applications through an in-house hacking competition.

MasterCard DISRUPT 2015 was a challenging two-day event open to MasterCard software engineers and other technology-focused employees. Participants were challenged to “hack” into deliberately insecure applications to identify and exploit security vulnerabilities, and competed to see who could exploit the most. An automated scoreboard awarded credit to each participant who successfully exploited a particular vulnerability.

As they worked from the perspective of a hacker, participants learned about top security vulnerabilities, and also how to prevent them by implementing secure coding practices. The challenge strengthened their knowledge and ability to defend MasterCard’s networks from a variety of persistent security threats.

MorphoTrust USA Secured driver’s license manufacturing facilities with NASPO certification

Driver’s licenses are the most commonly used proof-of-identity document in the United States, and about 70 percent of all driver licenses and ID cards are produced using MorphoTrust issuance solutions.

To ensure the best possible security for the driver’s license issuance process, MorphoTrust set out to achieve the highest levels of certification from the North American Security Products Organization (NASPO) for all facilities where it produces these credentials, making certain that both the production process and the credential itself are highly secure.

With all factories now at level 2 certification and two at level 1, MorphoTrust has more ID production facilities at this level of ANSI/NASPO certification than any other company. Given the trust that motor vehicle agencies place in their vendors and the role those vendors have in issuing credentials used to verify identities, this project is essential to MorphoTrust’s ability to secure and protect the identities of the American people.

Oak Ridge National Laboratory Automating Vulnerability Management

At Oak Ridge National Laboratory, insufficiently managed systems posed the biggest cyber security risk and required significant effort to identify and remediate. Managing these vulnerabilities was almost entirely manual, and was a slow, time-consuming process. The lab also lacked integration with related systems and a reliable way to track progress or assess overall risk.

A new vulnerability management system was developed over three months by integrating multiple tools for automating vulnerability scanning, standardization, and creation of repair tickets. The automated system increases vulnerability scanning to once a day for most devices, prioritizes vulnerabilities using a risk-based approach, and automates ticketing and tracking of the vulnerabilities to closure. Vulnerability metrics can be reported by network enclave, assignment group, division, date detected, date the patch became available, scanner plugin, or CVE identifier.

Since the project’s completion, vulnerabilities were cut in half within the first month. The number of vulnerabilities patched increased by 255 percent, and the average remediation time was reduced by 42 percent.
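The scan-to-ticket loop described above, as an added example rather than ORNL’s own system: daily scan results are deduplicated into tickets keyed by host and scanner plugin, each ticket gets a risk-based priority (CVSS scaled by an assumed enclave exposure weight, bumped once a patch has been available for more than 30 days), a ticket closes automatically when its finding disappears from a later scan, and remediation metrics are reported by enclave. The findings, enclave weights, thresholds and CVE placeholders are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed exposure weights per network enclave (not ORNL's values).
EXPOSURE = {"dmz": 1.5, "user": 1.0, "lab": 0.8}


@dataclass
class Finding:
    host: str
    enclave: str               # network enclave the host sits in
    plugin: int                # scanner plugin id (assumed numeric)
    cve: str                   # placeholder identifiers in the demo data
    cvss: float
    patch_available: Optional[date]


@dataclass
class Ticket:
    finding: Finding
    opened: date
    priority: str
    closed: Optional[date] = None


def prioritize(f: Finding, today: date) -> str:
    """Risk-based priority: CVSS scaled by enclave exposure, plus a bump
    when a patch has been available for more than 30 days."""
    score = f.cvss * EXPOSURE.get(f.enclave, 1.0)
    if f.patch_available and (today - f.patch_available).days > 30:
        score += 2.0
    if score >= 12:
        return "P1"
    if score >= 7:
        return "P2"
    return "P3"


class Tracker:
    """Dedupes daily scans into tickets keyed by (host, plugin), closes a
    ticket when its finding is no longer detected, reports metrics."""

    def __init__(self):
        self.tickets = []   # full history, open and closed
        self.open = {}      # (host, plugin) -> open Ticket

    def ingest(self, scan_date: date, findings):
        seen = set()
        for f in findings:
            key = (f.host, f.plugin)
            seen.add(key)
            t = self.open.get(key)
            if t is None:
                t = Ticket(f, scan_date, prioritize(f, scan_date))
                self.tickets.append(t)
                self.open[key] = t
            else:
                t.priority = prioritize(f, scan_date)  # patch ages, priority rises
        for key in list(self.open):
            if key not in seen:                        # not detected any more: close
                self.open[key].closed = scan_date
                del self.open[key]

    def metrics(self):
        closed = [t for t in self.tickets if t.closed]
        mean_days = (sum((t.closed - t.opened).days for t in closed) / len(closed)
                     if closed else 0.0)
        by_enclave = {}
        for t in self.open.values():
            by_enclave[t.finding.enclave] = by_enclave.get(t.finding.enclave, 0) + 1
        return {"open": len(self.open), "closed": len(closed),
                "mean_days_to_remediate": mean_days, "open_by_enclave": by_enclave}


def run_demo() -> Tracker:
    """Two constructed daily scans three days apart; hostA is patched in between."""
    jan1 = date(2016, 1, 1)
    day1 = [Finding("hostA", "dmz", 1001, "CVE-0000-0001", 9.8, jan1),
            Finding("hostB", "user", 2002, "CVE-0000-0002", 5.3, None),
            Finding("hostC", "lab", 1001, "CVE-0000-0001", 9.8, jan1)]
    day2 = [Finding("hostB", "user", 2002, "CVE-0000-0002", 5.3, None),
            Finding("hostC", "lab", 1001, "CVE-0000-0001", 9.8, jan1),
            Finding("hostB", "user", 3003, "CVE-0000-0003", 7.5, date(2016, 2, 1))]
    tr = Tracker()
    tr.ingest(date(2016, 2, 1), day1)
    tr.ingest(date(2016, 2, 4), day2)
    return tr


if __name__ == "__main__":
    print(run_demo().metrics())
```

Keying tickets on (host, plugin) rather than on CVE is deliberate: one plugin can cover several CVEs and one CVE can fire on several plugins, and the ticket should follow what the scanner will actually stop reporting once the fix lands.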

PHEMI Zero Trust Data Initiative

A key barrier for enterprises in adopting big data solutions is solving privacy, security and governance concerns that come hand-in-hand with integrating data from multiple sources for analysis and insights.

Big data warehouse company PHEMI is helping companies achieve the required privacy and security with its Zero Trust Data Initiative. The initiative leverages Hadoop and Accumulo to create data exclusivity based on user attributes – which can range from those in the identity system, to user location, IP address, time of day, and data characteristics, such as personal health information, sensitive or classified information. Data is shared based on the “right to know,” or the system denies that it exists.

By embedding governance policies in the data management system and inserting privacy, data security and governance attributes into the data, the system can automatically enforce rightful access regardless of how the user or application is connected.
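A worked illustration of the attribute-based model described above, added here and not PHEMI’s code. Accumulo stores a visibility expression with every cell (tokens joined by `&` and `|`, grouped with parentheses, with `&` and `|` not mixed at one level without parentheses); a scan returns only cells whose expression is satisfied by the caller’s authorizations, so an unauthorized cell is simply absent. The evaluator below implements that expression grammar, and the authorization set is built from identity-system roles plus tokens derived from request context (assumed rules: a 10.x source address is “onsite”, 07:00 to 19:00 is “business-hours”). Records, roles and rules are constructed.

```python
import re
from datetime import datetime, time

TOKEN = re.compile(r"[A-Za-z0-9_\-.:/]+")


class VisibilityError(ValueError):
    """Malformed expression: bad token, unbalanced parentheses, or & and |
    mixed at one level without parentheses (which Accumulo rejects)."""


def evaluate(expr: str, auths) -> bool:
    """True if the authorization set satisfies the expression.
    expr := term (('&' | '|') term)* ; term := token | '(' expr ')'.
    An empty expression is visible to everyone, as in Accumulo."""
    if expr == "":
        return True
    pos = 0

    def parse_expr() -> bool:
        nonlocal pos
        results, op = [], None
        while True:
            results.append(parse_term())
            if pos < len(expr) and expr[pos] in "&|":
                if op is None:
                    op = expr[pos]
                elif op != expr[pos]:
                    raise VisibilityError("mixed & and | without parentheses")
                pos += 1
            else:
                break
        if op == "&":
            return all(results)
        if op == "|":
            return any(results)
        return results[0]

    def parse_term() -> bool:
        nonlocal pos
        if pos < len(expr) and expr[pos] == "(":
            pos += 1
            value = parse_expr()
            if pos >= len(expr) or expr[pos] != ")":
                raise VisibilityError("unbalanced parentheses")
            pos += 1
            return value
        m = TOKEN.match(expr, pos)
        if not m:
            raise VisibilityError(f"bad token at offset {pos}")
        pos = m.end()
        return m.group(0) in auths

    value = parse_expr()
    if pos != len(expr):
        raise VisibilityError("trailing input")
    return value


def is_valid(expr: str) -> bool:
    try:
        evaluate(expr, set())
        return True
    except VisibilityError:
        return False


def context_auths(user: dict, now: datetime, src_ip: str) -> set:
    """Roles from the identity system plus context-derived tokens (assumed rules)."""
    auths = set(user["roles"])
    if src_ip.startswith("10."):
        auths.add("onsite")
    if time(7, 0) <= now.time() <= time(19, 0):
        auths.add("business-hours")
    return auths


# Constructed cells: (row, column, value, visibility). Cells failing the
# check are absent from the scan result; the caller cannot tell they exist.
RECORDS = [
    ("pat-001", "dob", "1970-03-02", "PHI&(clinician|billing)"),
    ("pat-001", "diagnosis", "asthma", "PHI&clinician&onsite"),
    ("pat-001", "zip", "08034", ""),
    ("study-7", "cohort-size", "412", "research&business-hours"),
]

CLINICIAN = {"roles": ["PHI", "clinician"]}
BILLING = {"roles": ["PHI", "billing"]}
RESEARCHER = {"roles": ["research"]}


def scan(records, auths):
    return [(row, col, val) for row, col, val, vis in records if evaluate(vis, auths)]


def visible_columns(user: dict, src_ip: str, hour: int) -> list:
    """Columns a user sees at the given hour of a constructed day."""
    now = datetime(2016, 2, 1, hour, 0)
    return [col for _, col, _ in scan(RECORDS, context_auths(user, now, src_ip))]


if __name__ == "__main__":
    print(visible_columns(CLINICIAN, "10.1.2.3", 10))     # on site: dob, diagnosis, zip
    print(visible_columns(CLINICIAN, "203.0.113.5", 10))  # remote: dob, zip
    print(visible_columns(RESEARCHER, "10.1.2.3", 23))    # after hours: zip only
```

Because the policy travels with the cell, the same scan code yields different rows for different callers without any application-side filtering, which is what lets the enforcement hold regardless of how the user or application connects.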

Quest Diagnostics Automated Next Gen IAM

After years of acquisitions, Quest Diagnostics’ access control structure had become a diverse, autonomous jumble that was neither efficient nor effective. A Security Access Management (SAM) solution unified access across a company with over 2,500 locations globally, starting with a web portal that automates twice-yearly re-certification, new-hire and transfer provisioning, and privileged access.

Today, SAM automation saves over 20,000 manager hours every six months over the old manual re-certification process alone. It also provides the business with an auditable platform that empowers users, while simultaneously protecting systems, devices and applications.

Security access re-certification also automates over 400,000 decisions for 53,000 employees. The last review uncovered 612 rogue accounts: accounts belonging to terminated users that still had active application access.
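The re-certification check that surfaces those rogue accounts, as an added example (not Quest’s SAM platform): application account exports are reconciled against the HR roster, enabled accounts whose owner is terminated in HR are pulled out for immediate action (with a flag when the account logged in after the termination date), accounts with no HR identity are listed for owner assignment, and everything else is bundled into a per-manager attestation packet. The HR records, account rows and the 90-day staleness threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster keyed by employee id.
HR = {
    "e100": {"name": "A. Lee", "status": "active", "term_date": None, "manager": "m1"},
    "e101": {"name": "B. Shah", "status": "terminated", "term_date": date(2015, 11, 30), "manager": "m1"},
    "e102": {"name": "C. Ortiz", "status": "active", "term_date": None, "manager": "m2"},
}

# Constructed account exports:
# (application, account, employee id or None, enabled, last login, privileged)
ACCOUNTS = [
    ("LIS", "alee", "e100", True, date(2016, 1, 5), False),
    ("LIS", "bshah", "e101", True, date(2015, 12, 14), True),
    ("Billing", "bshah", "e101", False, None, False),
    ("Billing", "cortiz", "e102", True, date(2016, 1, 2), False),
    ("LIS", "svc_hl7", None, True, date(2016, 1, 6), True),
]

STALE_DAYS = 90  # assumed threshold for access that has not been used


def review(hr, accounts, as_of):
    """Split enabled accounts into rogue (owner terminated in HR), unmatched
    (no HR identity, e.g. a service account that needs an owner) and
    per-manager re-certification packets for everything else."""
    rogue, unmatched, packets = [], [], defaultdict(list)
    for app, acct, emp, enabled, last_login, priv in accounts:
        if not enabled:
            continue                       # disabled accounts are out of scope here
        rec = hr.get(emp) if emp else None
        if rec is None:
            unmatched.append((app, acct))
            continue
        if rec["status"] == "terminated":
            rogue.append({
                "app": app, "account": acct, "employee": emp, "privileged": priv,
                "days_since_term": (as_of - rec["term_date"]).days,
                # a login after the termination date is the signal to escalate
                "login_after_term": bool(last_login and last_login > rec["term_date"]),
            })
            continue
        packets[rec["manager"]].append({
            "app": app, "account": acct, "employee": emp, "privileged": priv,
            "stale": last_login is None or (as_of - last_login).days > STALE_DAYS,
        })
    # rogue accounts are disabled immediately rather than sent for attestation;
    # privileged and longest-overdue first
    rogue.sort(key=lambda r: (not r["privileged"], -r["days_since_term"]))
    return rogue, unmatched, dict(packets)


def run_review():
    return review(HR, ACCOUNTS, date(2016, 2, 1))


if __name__ == "__main__":
    rogue, unmatched, packets = run_review()
    for r in rogue:
        print("DISABLE", r)
    for app, acct in unmatched:
        print("NEEDS OWNER", app, acct)
    for manager, items in packets.items():
        print("ATTEST", manager, [i["account"] for i in items])
```

Disabled accounts are skipped here only to keep the rogue list actionable; a fuller review would still report a terminated user’s disabled-but-not-deleted accounts so they can be removed.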

Quintiles Inc. Infosario Identity Management Solution

Quintiles Infosario is a web-based platform that promotes faster, better decisions across the drug development continuum. It enables better drug development through data, processes, systems and expertise. With such a powerful tool, identity management of its users was a top priority.

User accounts for Infosario were historically based on profile data extracted from independent source systems, which risked creating accounts and granting access on the basis of unreliable, unverified identity data.

Quintiles implemented a three-stage solution for more intelligent provisioning of user accounts. The identity vetting component compares user-supplied profile data against Quintiles enterprise systems. Identity storage provides a centralized, persistent and secure place for vetted identities. Business rules and processes keep the identity data current.

The solution has been used to improve user identity data quality for both existing users and for newly established users.

SAP SE SAP Security KPI Reporting Project

Protecting a company’s IT assets has two sides – protecting and defending against attackers both internal and external, and gaining transparency on the status of IT security processes within a company, according to SAP.

Creating transparency serves three major goals: It identifies the level of threats and security within the company; it allows companies to quickly react to issues; and it fosters buy-in from top executive and management levels by providing them with regular security reporting.

The SAP Security KPI Reporting Project is an integrated part of SAP’s top-level business reporting and provides security-relevant KPIs to the board and executive management. With this transparency, executives and senior management can react in a timely way to security-related events.

SAP’s Security KPI Reporting Project marks the first time that security reporting is fully integrated into the board reporting solution and is easily accessible for executives and top management.

SAP SE Security Configuration Compliance Validation Project

When attracting customers who want to move their core business applications to the cloud, SAP knew that the security of its service offerings is the key criterion customers care about. In the past, customers could configure the relevant security parameters themselves across a huge number of systems; in the cloud this is a completely different challenge.

SAP decided to define a holistic security framework in the cloud down to the level of technical security settings. Succeeding with this challenge requires a fully automated solution, beyond just standardization. It means checking and reporting in a fully automated and transparent manner.

SAP implemented the Security Configuration Compliance Validation for its cloud systems. The solution ensures that the defined security parameters on production systems are checked automatically on a regular basis, and that the identified level of compliance is made transparent to the responsible technical staff and to SAP’s cloud customers.

The University of Vermont Medical Center Vendor Remote Support Access

The University of Vermont Medical Center wanted to control high-risk vendor access to its enterprise network. It lacked a formal method for provisioning, managing or auditing vendor access.

It chose a solution that provided automated provisioning, detailed auditing, and even RDP and SSH session recording. The IS server team assisted in building the virtual servers needed to run the software and the IS networking team helped to get the external-facing webpage configured. The project was implemented in about six months.

The new tool provides robust authentication, authorization and accounting controls and mitigates several high-risk and compliance issues that once existed in the network.

Since the rollout, the medical center has seen a reduction in Active Directory accounts associated with vendors, fewer help desk calls, and satisfaction among the vendors who perform remote support using the new tool.

United States Postal Services Organizational Analytics Platform

USPS handles 40 percent of the world’s mail volume and an enormous amount of information, but it lacked a holistic view of its IT environment, which left it vulnerable to operational and security issues that could spread easily throughout the organization.

The agency’s concerns were validated as USPS suffered a breach in the fall of 2014. While security measures were in place at the time of the attack, the agency realized it was not as prepared as it needed to be. USPS deployed an enterprise software platform for log aggregation of machine data throughout its IT environment to provide better network security and operational insight.

The platform provides USPS with a single, shared view of its environment for real-time data sharing and collaboration across IT, business units and security. The platform receives data from over 1,100 sources across multiple operating systems and over 239 data types with over 134 billion events indexed.

From a security perspective, not only can USPS internally monitor for abnormalities within the network such as known malware, threat signatures and events, they can also watch for unknown threats by using statistical analysis to detect behavioral anomalies and outliers. This real-time visibility has cut the time to addressing incidents in half.
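The “unknown threat” side of that monitoring, as an added example rather than the USPS platform: failed-logon events are bucketed per host and hour, and each host’s hourly counts are scored against the host’s own baseline with a robust (median/MAD) z-score so that one noisy host does not set the threshold for the quiet ones. The log lines are constructed (web01 is brute-forced in hour 10), and the fallback to mean absolute deviation when MAD is zero is an assumption chosen so that a host with almost no events does not score a single stray failure as an outlier.

```python
import re
from collections import defaultdict
from statistics import mean, median

LINE = re.compile(r"^\d{4}-\d{2}-\d{2}T(\d{2}):\d{2}:\d{2}Z (\S+) \S+ auth=fail ")

# Constructed failed-logon counts for hours 00..09, then hour 10.
BASELINE = {"web01": [2, 3, 1, 2, 3, 2, 1, 2, 3, 2],
            "db01": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0]}
HOUR10 = {"web01": 40, "db01": 0}


def make_log():
    """Render the constructed counts as syslog-style lines."""
    lines = []
    for host in BASELINE:
        for hour, n in enumerate(BASELINE[host] + [HOUR10[host]]):
            for i in range(n):
                lines.append(f"2016-02-01T{hour:02d}:{i % 60:02d}:00Z {host} sshd auth=fail "
                             f"user=root src=203.0.113.{i % 250 + 1}")
    return lines


def bucket(lines):
    """host -> list of counts for every hour up to the last hour seen,
    including hours with zero events (a silent hour is still a data point)."""
    counts = defaultdict(lambda: defaultdict(int))
    last_hour = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        hour, host = int(m.group(1)), m.group(2)
        counts[host][hour] += 1
        last_hour = max(last_hour, hour)
    return {h: [counts[h][x] for x in range(last_hour + 1)] for h in counts}


def robust_z(values):
    """Modified z-scores (Iglewicz and Hoaglin): 0.6745 * (x - median) / MAD.
    MAD of 0 means more than half the hours are identical; fall back to the
    mean absolute deviation (scaled to estimate sigma) instead of dividing by 0."""
    med = median(values)
    dev = [abs(v - med) for v in values]
    mad = median(dev)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = mean(dev)
    if mean_ad == 0:
        return [0.0 for _ in values]
    return [(v - med) / (1.253314 * mean_ad) for v in values]


def detect(lines, threshold=3.5):
    """Hours whose failed-logon count is an outlier for that host."""
    alerts = []
    for host, series in bucket(lines).items():
        for hour, (count, z) in enumerate(zip(series, robust_z(series))):
            if z > threshold:
                alerts.append({"host": host, "hour": hour, "count": count, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect(make_log()):
        print(a)
```

The per-host baseline is the point: 40 failures in an hour is an outlier on web01, whose hourly median is 2, while db01 stays below the threshold even though its single-failure hours are several times its median of zero.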

ViaSat Inc. Cyber intrusion Auto Response and Policy Management System

Public utilities know that cybersecurity is an increasing problem. As cyber attacks increase in frequency and complexity, utilities need to explore new technologies, like automated incident response, to find better and more efficient ways to respond to attacks on the network.

With funding from the Department of Energy and working closely with Southern California Edison and Duke Energy, ViaSat initiated the Cyber Intrusion Auto Response and Policy Management project, which outlines a strategic framework over the next decade to design, install, operate and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions.

Through cyber sensors and policy agents that interpret low-level cyber events, CAPMS translates those events into higher-level, semantically richer ones that operators can act upon. The events and modeling ultimately provide an explanation of the attack and suggestions for remediation.

As a result, the CAPMS project is contributing to the advancements of defending the grid.

Viewpost Real-time SecOps

Viewpost wanted to reduce the friction, time and inefficiency associated with manually reviewing potential phishing emails or analyzing emails designed to attack the company.

Real-Time SecOps was launched in 2015 to provide a one-click way to extract the data from an email, including all necessary forensic information, IP addresses and attachments, determine whether it is dangerous, and deliver that data immediately to the security operations analyst in a format that is easy to review.

The analyst selects the emails, then right-clicks and chooses Analyze. All the pertinent information is then populated in a special folder, organized by email, for the analyst to examine.

The solution is designed to work with Microsoft Outlook as its main client. Real-Time SecOps was sole sourced from Viewpost’s internal security operations team and leveraged no outside products.
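What the “Analyze” step has to pull out of a message, as an added example that is not Viewpost’s tool and uses only the Python standard library: the Received chain in hop order (the last header is the hop nearest the sender), the From and Reply-To addresses and whether their domains differ, the SPF and DKIM results from Authentication-Results, URLs in the text body, and every attachment with its size, SHA-256 and leading bytes. The message is constructed; its hosts, addresses and the 16-byte base64 attachment (a stub beginning with the bytes “MZ”) are placeholders, and the `verdict` heuristics are the editor’s assumptions, not a vendor’s.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed suspicious message; every host, address and artifact is a placeholder.
RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.corp.example (Postfix) with ESMTP; Mon, 1 Feb 2016 09:12:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.net with ESMTPA; Mon, 1 Feb 2016 09:11:58 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=example.net; dkim=none
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: reset@mailbox-verify.example
To: user@corp.example
Subject: Password expiry notice
Message-ID: <20160201091158.1234@mail.example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify at http://corp-example.login-verify.example/reset?id=7781
--b1
Content-Type: application/octet-stream; name="invoice.scr"
Content-Disposition: attachment; filename="invoice.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s\"<>]+")


def analyze(raw: str) -> dict:
    """Extract the artifacts an analyst reviews from a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Each hop prepends its own Received header, so header order is hop order
    # from the recipient backwards; the last one is closest to the sender.
    hops = [IPV4.search(str(h)) for h in msg.get_all("Received", [])]
    received_ips = [m.group(1) for m in hops if m]
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=(\w+)", auth)
    dkim = re.search(r"dkim=(\w+)", auth)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": part.get_filename(),
            "type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": data[:2].decode("latin-1"),   # "MZ" marks a Windows executable
        })
    return {
        "subject": str(msg.get("Subject", "")),
        "from": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": bool(reply_to)
            and reply_to.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1],
        "spf": spf.group(1) if spf else None,
        "dkim": dkim.group(1) if dkim else None,
        "received_ips": received_ips,
        "origin_ip": received_ips[-1] if received_ips else None,
        "urls": URL.findall(text),
        "attachments": attachments,
    }


def verdict(report: dict) -> list:
    """Assumed triage heuristics: reasons the analyst should look closer."""
    reasons = []
    if report["spf"] == "fail":
        reasons.append("SPF failed")
    if report["reply_to_mismatch"]:
        reasons.append("Reply-To domain differs from From domain")
    risky = (".scr", ".exe", ".js", ".vbs", ".jar")
    for a in report["attachments"]:
        if a["magic"] == "MZ" or (a["name"] or "").lower().endswith(risky):
            reasons.append(f"executable attachment {a['name']}")
    if report["urls"]:
        reasons.append(f"{len(report['urls'])} URL(s) to review")
    return reasons


if __name__ == "__main__":
    report = analyze(RAW)
    print(report)
    print(verdict(report))
```

Hashing the decoded attachment rather than the base64 text matters: the hash is only comparable to threat-intelligence or sandbox records if it is computed over the bytes the user would have written to disk.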

Viewpost Tainted USBs

Many companies wonder if security awareness training is sinking in with employees. Viewpost went in search of proof. The company was aware of failures and intrusions that have happened at other companies when users found random USB drives and used them. The security team wanted to see if its own users would place strange USB drives they found around the office into their computer, even though they had been trained not to do so.

Led by a security architect and security analyst, and with support from the CSO and general counsel, the team engineered USB drives that when placed in a computer would execute a routine to call home and let the SecOps team know that they were used instead of being brought to the attention of security.

The “test” was carried out over three months and none of Viewpost’s 200 employees placed the drives into their computers. All USB drives were returned to security or infrastructure for scanning – reinforcing that training works.

VMware Piranha IDS

Piranha IDS is a suite of open source technologies that provides high performance network intrusion detection, prevention and monitoring. It identifies threat patterns in virtual environments and provides all-in-one network security based on open source technologies.

It also incorporates a multi-threaded intrusion detection engine that reduces packet processing loss. The engine includes live processing of reputation lists for advanced persistent threat detection, behavioral intrusion detection, a protocol log slicing engine and full packet capture analysis, all using open source technologies.

Embedded applications are wrapped in Docker containers, each a complete file system containing everything the application needs to run, making them more stable and portable across cloud environments. Deployment is fully automated and orchestrated from a central location using manifests.

Users of the technology have decreased packet loss by 57 percent using multithreaded technologies, increased commodity threats detected by 69 percent, increased Advanced Persistent Threats detection by 38 percent and reduced deployment times by 94 percent — from hours to minutes.

Voya Financial Service ID Remediation and Non Personal ID Solution

Voya Financial’s Service ID Remediation project provided an innovative, custom-built, non-personal ID solution to address the enterprise’s need for central management of IDs across a wide range of platforms and privileges.

Prior to Voya’s NePIS project launch, there was no inventory and no standard ID classification system. Voya also had to navigate a complex and diverse environment that contained 100,000 service IDs. The team applied Service ID groups across platforms and created new priority ratings and integration, allowing for easy clean-up and centralized oversight, and reducing service ID volumes to 38,000. As a result, thousands of IDs were reclassified as non-personal IDs, disabled or deleted, or reassigned to the appropriate owner.

IDs found to be shared across applications were remediated, which reduced the risk of an outage, as well as the threat if compromised. The operational model built in support of these new tools and processes helps ensure that the environment will remain fully documented and compliant moving forward.
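The inventory, classification and shared-ID detection steps above, as an added example that is not Voya’s NePIS tooling: account rows exported from several platforms are collapsed to one record per (platform, ID), each ID is classified as personal or non-personal from naming conventions, non-personal IDs get a priority rating from privilege, interactive logon, sharing across applications and missing ownership, and IDs used by more than one application are listed for remediation. The inventory rows, naming patterns and priority weights are constructed assumptions.

```python
import re

# Constructed inventory rows: (platform, account id, application that uses it,
# interactive logon allowed, privileged, registered owner or None).
INVENTORY = [
    ("AD", "svc_backup", "backup", False, True, "infra-team"),
    ("Unix", "svc_backup", "backup", True, True, None),
    ("Oracle", "APP_ORDERS", "orders", False, False, "orders-app"),
    ("Oracle", "APP_ORDERS", "reporting", False, False, "orders-app"),
    ("AD", "jsmith", None, True, False, None),
    ("Unix", "oracle", "erp", True, True, None),
]

# Assumed naming conventions for non-personal IDs.
NON_PERSONAL_PATTERN = re.compile(r"^(svc|app|sys)[_-]", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"root", "oracle", "postgres", "administrator"}


def classify(account: str) -> str:
    name = account.lower()
    if NON_PERSONAL_PATTERN.match(name) or name in SYSTEM_ACCOUNTS:
        return "non-personal"
    return "personal"


def priority(rec: dict) -> str:
    """Assumed weights: privileged 3, interactive logon on a service ID 2,
    shared between applications 2, no registered owner 1."""
    score = (3 * rec["privileged"] + 2 * rec["interactive"]
             + 2 * (len(rec["apps"]) > 1) + (rec["owner"] is None))
    return "P1" if score >= 5 else "P2" if score >= 3 else "P3"


def build_inventory(rows):
    """One record per (platform, id), collecting every application using it."""
    ids = {}
    for platform, acct, app, interactive, privileged, owner in rows:
        rec = ids.setdefault((platform, acct), {
            "platform": platform, "id": acct, "apps": set(),
            "interactive": interactive, "privileged": privileged,
            "owner": owner, "class": classify(acct)})
        if app:
            rec["apps"].add(app)
        rec["owner"] = rec["owner"] or owner
    return ids


def remediation_plan(rows) -> dict:
    ids = build_inventory(rows)
    plan = {"personal": [], "non_personal": [], "shared": [], "unowned": []}
    for key, rec in ids.items():
        if rec["class"] == "personal":
            plan["personal"].append(key)      # belongs to the user-ID process, not here
            continue
        rec["priority"] = priority(rec)
        plan["non_personal"].append((key, rec["priority"]))
        if len(rec["apps"]) > 1:              # one credential, several applications
            plan["shared"].append((key, sorted(rec["apps"])))
        if rec["owner"] is None:
            plan["unowned"].append(key)
    plan["non_personal"].sort(key=lambda item: item[1])   # P1 first
    return plan


if __name__ == "__main__":
    for section, items in remediation_plan(INVENTORY).items():
        print(section, items)
```

A shared ID is flagged even when it is owned and unprivileged, because the page’s concern with shared IDs is the blast radius: rotating or disabling one credential breaks every application that uses it, and a compromise of one application exposes them all.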

Voya Financial IT Key Risk Indicator Program

When the IT department reports on the state of IT to senior management, it usually relies on metrics focused on operational requirements or service-level agreements. The goal of the IT Key Risk Indicator project was to use these metrics in a way that looked not only at the strength of its operational processes, but also expanded the view of IT Risk.

As part of the project, Voya wanted to determine its collective risk appetite, so the company created an IT Risk Committee composed of senior IT and business leaders and chaired by the chief risk officer. The group created an IT Risk Appetite Statement, which set the tone for managing risk and established clear definitions that allow the entire company to operate under the same risk model.

The KRI program fits into the overall IT Risk Management framework and allows IT reporting to roll up into the overall Voya Risk Management framework using common taxonomy such as Risk Domains and Categories. The overall picture of IT has become better-rounded with senior management having consistent visibility into both operational efficiency, as well as the active management of IT Risk.