Distributed Controls: Managing Security Differently Across 15 Organizations
Executive Sponsor: Jim Routh, Chief Security Officer, VP of Global Security, Aetna
Project Team: Mignona Cote - Sr. Director, Information Security, CISO PayFlex; CISO Phoenix Data Center Services, Jeannette Rosario - Director, Global Security, Karen Barlow - Program Business Analyst, Glenda Lopez - Sr. Information Security Engineer
Securing a Fortune 50 company is daunting enough; adding fourteen independently operated affiliates (subsidiaries) to the mix stretches leadership and innovation. Resiliency to market demands, continuous change in threats and fourteen completely different companies ranging from financial services to international markets and consumer healthcare force the Global Security Officer to manage fourteen security programs uniquely while leveraging core Aetna techniques and solutions. At Aetna, a model was developed to identify risks, measure maturity and implement solutions, maintaining the unique DNA of each company while assuring their security as they operate within the boutique styles required for competitive advantage and speed to market.
AT&T Threat Manager with Log Analysis
Executive Sponsor: Noelle Bloomfield, Senior Public Relations Manager, AT&T
Project Team: Jason Porter – Vice President, Security Solutions, Alex Cherones – Director, Security Solutions, John Chi – Lead Product Marketing Manager, Security Solutions, Justin Knapp – Lead Product Marketing Manager, Security Solutions, Tina Deljavan – Lead Product Marketing Manager, Security Solutions, Jason Miller – Lead Product Marketing Manager, Security Solutions, Trevin Tipler – Product Marketing Manager, Security Solutions, Scott Corbin – Lead Product Marketing Manager, Security Solutions, Matt Dugan – Director, Data Insights, Big Data, Ronen Kahana – Principal, System Engineer, Big Data, Johan Muedsam – Principal, Big Data Software Systems Engineer, Ellie Ordway-West – Professional Data Scientist, Big Data, Seretha Stern – Principal, Business Management, Big Data, Austin Hensley – Principal, Big Data Software Engineer, Jay Whitehurst – Director, AT&T Technology Development, Karin Lesica – Senior Technology Solutions Manager, Catherine Wood – Principal, Product Development Engineer, Jhopi Thornton – Professional Technology Project Management, Avi Gefen – Director, Research Technology Management, Erez Korn – Principal, Application Design, Lior Horn – Lead Project Manager, Data/P, Roi Levi – Senior Specialist, Project Management, Data/IP
AT&T Threat Manager with Log Analysis is equipped with more than a suite of security services – it is fueled by the security foundation built from the people, processes, products and tools that form AT&T’s security backbone. As the brains behind their security services, Threat Manager with Log Analysis provides unparalleled visibility into the data patterns and threat activity across AT&T’s network, helping businesses customize their security to meet their needs. It uses multitudes of unique threat signature data streams, analytics and intelligence to help detect known and potential threats. Threat Manager with Log Analysis is also constantly learning to adapt to the latest global security issues.
Security Operations – Security Incident Response Management
Executive Sponsor: Chris Merkel, Director, Information Security, Brunswick Corporation
Project Team: Steven Eisen (Security Analyst), Dan Matasek (Director, Infrastructure Operations)
Brunswick was not able to quickly identify and respond to security threats; the resolution delay and lack of automated remediation were costing the company money. They faced challenges around risk prioritization, the efficiency of alert resolution, and automated remediation. Brunswick needed a solution with the ability to aggregate, prioritize, and route any security risks to the appropriate resource for fast remediation. Their Security team wanted to solve this problem by leveraging existing technologies and helping to reduce overall costs for the business.
Cook County Cyber Threat Intelligence Grid (CCCTIG)
Executive Sponsor: Ricardo Lafosse, CISO, Cook County Department of Homeland Security and Emergency Management
Project Team: Katie Kolon – Executive Assistant, Tom Vari – Information Security Program Manager, Yilmaz Bal – Information Security Manager Risk and Compliance
The Cook County Department of Homeland Security and Emergency Management, Information Security Office partnered with private sector organization Anomali in launching the Cook County Cyber Threat Intelligence Grid (CCCTIG). The CCCTIG is a collaborative project designed to strengthen the region's cybersecurity landscape through shared intelligence to effectively combat cyber-attacks. All CCCTIG participating municipalities have access to the secure platform, which shares a wealth of cyber-threat intelligence that includes bad actors, malicious campaigns and security incidents. CCCTIG members can publish threat intelligence to a circle of trust through a variety of formats via the platform.
The Enterprise Holdings Information Security Prioritization Matrix
Executive Sponsor: Josh Knopp, Vice President, Enterprise Holdings Inc.
Project Team: Kevin McQuade, Department Manager, Phil Swiderski, Department Manager, Melissa Arter, Manager, Christopher Byrd, Lead Security Architect
The Enterprise Holdings Information Security Prioritization Matrix project provides a comprehensive, approachable study of principles, technology, and process maturity throughout the enterprise to enable governance of various security functions vying for focus. Combining elements of control maturity, best practice, industry standards, and risk appetite served as a measurement of their information security posture. The resulting data was consolidated into an executive summary, creating an immediate view into performance, business value, and level of effort enabling prioritization around technologies or strategies to receive focus. The Information Security Prioritization Matrix pushes information security to world-class maturity.
[A.M.O.S.] Asset Management on Steroids
Executive Sponsor: Scott Pettigrew, VP, Chief Security Officer, HMS
Project Team: Scot Miller, Vice President, CISO, Kory Anderson, Manager, Security Operations, Sidd Kunche, Sr. IT Project Manager
Identity is the foundation of security. Without identifying the assets in their institution, leaders are forced to make generalized assumptions to apply security as a blanket instead of using a risk-based approach. An oversimplified view of asset management establishes a CMDB (Configuration Management Database), but AMOS (Asset Management on Steroids) goes beyond this by ensuring consistency of information for risk management, business operations reporting, and procurement services. This is not a “one-and-done” project. AMOS is a program that forces groups to document their processes, eliminate information silos, and establish standards. Ultimately, HMS will lower risk, save money, and meet compliance objectives.
[P.A.M.] Privileged Access Management
Executive Sponsor: Scott Pettigrew, VP, Chief Security Officer, HMS
Project Team: Scot Miller, Vice President, CISO, Michael Madero, Manager, Security Architecture
The objective of the HMS Privileged Access Management project is to gain insight and governance around the use of privileged accounts in the environment. While most may consider a privileged account to be the basic “Windows Administrator” account or UNIX-type “Root” account, there are many other accounts that act in a privileged capacity and are ignored. HMS’s achievement provides an automated request/provisioning mechanism for “firecall” ID/Passwords for troubleshooting, with appropriate oversight and auditing, as well as reducing credential exposures in application code.
The Multi-Factor Authentication Project
Executive Sponsor: Helen Patton, Chief Security Information Officer, The Ohio State University/Office of the CIO - Enterprise Security
Project Team: Amber Buening, Senior Project Manager, Rich Nagle, Project Service Director/Associate Director – Identity & Access Management, Todd Piche, Project Technical Lead, BuckeyePass Service Owner
The Multi-Factor Authentication Project was a multi-year effort which implemented a new solution and service that gives every system and application (if technically capable) the opportunity to implement multi-factor authentication at The Ohio State University. Through delivery of a standard service and solution to all university employees, within the 100 independent units at the university, the project helped protect institutional data, mitigate identity-related risk and protect against unauthorized access.
Identity and Access Governance Program
Executive Sponsor: Steve Jensen, Chief Information Security Officer, Scottrade, Inc.
Project Team: Jennifer Segura – AVP Identity and Access (IAG) Governance, Jason Mayer – Privileged Access Management (PAM) Supervisor, Brittany Pipes – IAG Supervisor, Jason Ragan – Sr. PAM Analyst, Brajesh Moni – Sr. PAM Analyst, Lucinda Cook – PAM Analyst L3, Angela Wheeler – IAG Analyst L3, Stephany Crocker – IAG Analyst L3, Kolby Tackett – Enterprise Applications Analyst, James Hill – Sr. IAM Analyst, Kevin Zhou – Sr. Enterprise Applications Developer, Lynn Nienkemper – Sr. Enterprise Applications Analyst, Debbie Denny – Sr. Business Systems Analyst, Marlissa Brawner – QA Engineer, Greg Teakert – Sr. Application Support Engineer, Ryan Drafall – Sr. Windows Support Engineer, Joey Ringuette – Windows Support Analyst
In 2016, Scottrade notified customers of a security breach that had occurred years prior but impacted its entire client base. As a result of that breach, a post-mortem discovered that Scottrade needed to enhance its controls around identities. Scottrade built from the ground up a comprehensive Identity and Access Governance program to proactively address internal threats. This consisted of a series of implementations to establish an identity warehouse, develop a centralized lifecycle management function, define toxic combinations of access and perform multiple cycles of access certifications for approximately 120 applications. Additionally, Scottrade installed a solution for privileged/shared account management. This included comprehensively discovering and managing privileged accounts at the network, server, endpoint, application and database levels. This allowed them to enforce policies for usage, record and monitor account activities and react to potential threats.
NIST Cybersecurity Framework Implementation
Executive Sponsor: Steve Jensen, Chief Information Security Officer, Scottrade, Inc.
Project Team: Jennifer Segura – AVP Identity and Access (IAG) Governance, Gina Stucke – Information Security Manager, Paul Nickelson – AVP, Threat and Vulnerability Management, Lara Knebel (Lar-a) – Business Continuity Manager, The entire Information Security team in support of implementing all of the technologies associated with this project.
In March 2015, Scottrade hired its first CISO, whose first initiative upon joining the firm was to structure the Cybersecurity program to be based on the NIST Cybersecurity Framework. As these efforts were ongoing, Scottrade was informed of a data breach, which had occurred in 2013/2014. In response, they resolved some immediate vulnerabilities and continued implementing planned enhancements based on NIST guidance. Controls included APT, DLP (all egress points), Data Tamper, IAG establishment, establishment of a comprehensive Cyber breach response plan, comprehensive metric analysis, updated program documentation, and a revamped IS Policy.
Next Generation Vulnerability Management (NGVM)
Executive Sponsor: Jasper Ossentjuk, SVP/CISO, TransUnion
Project Team: Joe Silva, VP, Head of Cyber Threat and Intelligence, Matt Wolf, Mgr, Cyber Threat and Intelligence
TransUnion implemented Next Generation Vulnerability Management (NGVM) in order to correlate vulnerability scan data, real-time threat intelligence and zero-day data into one easy-to-understand dashboard display. NGVM prioritizes their most critical vulnerabilities in an easy-to-navigate, on-demand, SaaS-based dashboard, replacing inefficient and difficult-to-maintain static Excel-based pivot tables. The on-demand, real-time display of vulnerability scan data enables teams to optimize patching capacity. TransUnion is patching smarter, not just faster.
The Process Alignment and Risk Management Enhancements (PARE) Project
Executive Sponsor: Jason Witty, CISO, U.S. Bancorp
Project Team: Marcia Peters – Information Security Governance, Risk & Compliance Executive, Arisbe Gardner (A-reese) – Senior Manager of Information Security, Adam Maslow – Information Security Director, Anna Pedersen – Senior Manager of Information Security, Michele Kaplan Clinard – Senior Manager of Information Security, Thoralf Symreng – Senior Manager of Information Security, John Kuisle – Senior Manager of Information Security, Rebecca Benson – Manager of Information Security, Dan Bohen – Senior Risk, Compliance & Audit Manager, Steve Casper – Risk, Compliance and Audit Manager, Mike Murray – Senior Risk, Compliance & Audit Manager, Lue Vue – Risk, Compliance and Audit Consultant, Kathleen Palmer – Risk, Compliance and Audit Consultant, Derek Tracey – Risk, Compliance and Audit Consultant, Molly Cook – Risk, Compliance and Audit Manager, Brian Rossmann – Senior Risk, Compliance & Audit Manager, Janet Lerch – Chief Continuity/Technology Risk Executive, Kathy Aultom – Information Security Risk & Compliance Analyst, Tammi Burr – Senior Information Security Specialist, Alicia Marshal (A-lee-see-a) – Information Security Risk & Compliance Analyst, Maureen Meyer – Senior Manager of Information Security, Aaron Neville – Information Security Risk & Compliance Analyst, Jan Morey – Manager of Information Security, Jonathan Kitchin – Manager of Information Security, Alex Duzan – Manager of Information Security
US Bank takes steps every day to be the most trusted choice in their industry, and that commitment extends to their information security efforts. The Process Alignment and Risk Management Enhancements (PARE) project sought to mature the Information Security program and create a more robust control set. The project started with a pilot of high-risk processes in which US Bank identified the need to be more granular at the process level and the need to work hand in hand with the oversight teams. The objective of the PARE project was to document information security processes, risks, and controls and align them to the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). NIST CSF was used in order to define program completeness.