CSO50 2016 winners announced


The CSO50 recognizes 50 security projects, taken on by 45 organizations, that demonstrate outstanding thought leadership and business value. These are their stories.


Integrated Application Security Testing (IAST)

ADP was looking for a way to discover vulnerabilities in web applications much earlier in its software delivery lifecycle. Many times significant architectural flaws are discovered at the last minute because penetration testing is the last thing to happen before a project is released. This created significant headaches and delays for the business.

To increase the speed of its software development release cycles and reduce application vulnerabilities, ADP added automated application security testing technology to its quality assurance testing processes. This technology provides continual analysis of application code running Java or .NET and finds vulnerabilities in real time.

Development teams are now able to perform minor fixes and patch releases without direct interaction from the security testing team. This decreases the backlog of requested security assessments and reduces the lead time needed to test major production releases.

The project initially covered the top 10 percent of its application base and is expanding to 25 percent within the first year of service.

AECOM/URS Integration

When AECOM acquired URS Corp. in October 2014, the company doubled in size and created the largest integration in its industry's history. AECOM, a global engineering, design and construction company, now consists of 100,000 employees in 150 countries. The acquisition meant consolidating six separate divisional information security functions, which had previously operated individually, into one global enterprise team with no divisional, business unit or regional boundaries.

The integration of AECOM and URS meant a new organizational structure, new teams, standing up a new Global SOC, consolidated technology and toolsets, and new ways of working in a globally distributed virtual environment.

A consolidated enterprise security team has helped AECOM align with and gain support from other functional groups within the organization, such as Legal, ERM, resilience groups, ethics and compliance, and communications. It has also reduced the phishing fail rate from 29 percent to 7 percent and successfully addressed 3,000 security incidents in six months.

External Security Portal

As cyber security threats continue to rise, more regulators and customers want assurance that health records are protected. Each month, Aetna would receive about 500 requests from customers and examiners asking for information about Aetna’s security program. Requests would come in through multiple channels, requiring internal security staff to gather documents and prepare the appropriate responses. The challenge was to quickly and easily disseminate this information.

Aetna developed an external security portal that provides a secure and centralized repository of Aetna’s IT security practices. With this new tool, Aetna can share pertinent information that helps customers evaluate the maturity of its security controls, and clients and assessors can access the information they need. Since the program launched in 2014, the number of external and internal users per month continues to rise, and Aetna has seen a significant reduction of individual requests.

Log Management to Security Intelligence

In early 2014, what began as a process for Aflac to expand its log management platform ultimately had another welcome benefit. It expanded Aflac’s ability to assess and correlate data, and track events for investigations. It also ensured compliance with the Payment Card Industry and any regulation requiring log archival and analysis capabilities.

Aflac’s security team worked with its IT partners to identify and implement a new Security Information and Event Management (SIEM) platform. The SIEM enabled near real-time notification and response to events, which improved the response times to business units.

The project was first implemented in early 2014 and began consolidating logs from 300 log sources. Throughout 2014, more than 9,000 logs were added. A balance was achieved in the amount of data retained and the ability to query efficiently. Most queries can now be performed in minutes versus days.

Enhanced Vulnerability Scanning

Aflac had vulnerability scanning capabilities in place in October 2014, but it wanted more. The aim was to evolve vulnerability scanning from a technical platform capability to an integrated service and process operation.

Aflac migrated its vulnerability scanning from an appliance with limited capacity to a managed service focused on standards compliance, full-scale asset discovery and comprehensive network scanning. Managing vulnerability scanning as a service instead of an appliance has allowed Aflac to reallocate internal resources to focus on remediation rather than administration of a scanning tool.

Output from the scanning tool is fed directly into Aflac’s governance and compliance tracking system, where items are tracked not only as technical risks but also as issues of security policy exception and enforcement. Aflac has been able to remediate 100 percent of the vulnerabilities identified, a 10-fold increase since the beginning of 2015.

Amity Education Group
National Cyber Alert System

Cyber threats are one of the biggest issues facing India today. While nearly every organization has deployed some security solution to safeguard their networks, very few are doing analysis of attacks or malware to understand who is targeting them, why or how. The private, non-profit Amity Education Group wanted to create and provide this information on a national level.

The Amity cyber security team developed an “Advanced Threat Protection CCFIS Sensor,” an appliance that deflects attacks and captures malware and targeted attacks. The appliance performs log analysis and reverse engineering of the captured malware, and then provides an intelligence report with details such as the attacker’s IP, domain, date and time, malicious file extensions, code language and encryption level. The information can be used to further implement policies to strengthen the security of the network.

The sensors have been deployed at 11 national and international Amity locations so far.

Amkor Technology
Governance, Risk and Compliance -- Defense scores points and Offense protects against risk

Amkor Technology’s internal and external audits used to be time-consuming and resource-intensive, with multiple repositories and no single source of truth. While the GRC environment had been in place since the first SAP implementation, the tool needed a facelift. With the new implementation of the latest version of SAP GRC, the tool has morphed into a mature product, including additional features and functionalities that impact the bottom line.

The scope of its GRC project included the full SAP landscape, the ERP central component, supplier relationship management, advanced planning and optimization, business intelligence, business objects BI, and process integration.

Automated user provisioning and audit review reduced headcount requirements and saved $150,000. Amkor also implemented password self-service so users can reset passwords through a two-factor authentication process using email and Active Directory. Manual resets have been reduced by 80 percent, saving $30,000. Customization of rule sets has enabled Amkor to retire a COTS product, saving the company $35,000 annually.

Atlantic Health System
Situational Awareness with AHS SitStat

When it comes to serious security incidents, Atlantic Health System has developed the mantra that “one is too many.” To keep safe its 9.5 million square feet of facilities and 14,000 employees, AHS has adapted the New York Police Department’s COMSTAT solution for its healthcare system.

With AHS SitStat, all security, emergency management, fire and safety calls for service are entered into the CAD system, which allows AHS to track the use of resources and incidents impacting its sites. Security officers complete electronic incident reports detailing all events occurring during an incident. All sites can enter, track, trend and analyze this data. Data is captured at the point of service by the site security command centers and responding officers, who enter it electronically into CAD/RMS. Critical incidents are immediately communicated in a briefing report for all sites.

Statistics and anecdotal evidence have shown this to be effective in sharing intelligence, preventing and mitigating adverse events and promoting an efficient use of limited resources.

Blue Cross Blue Shield of Michigan
Supplier Risk Management Program

Many high-profile data breaches have been traced to weaknesses in third-party vendor or contractor security. Many suppliers to BCBSM and Blue Care Network of Michigan do not target the healthcare industry as a primary market, so they were not familiar with HIPAA and other regulatory agency requirements.

The Supplier Risk Management program gauges each supplier’s capability to protect BCBSM/BCN’s sensitive information exchanged and the computing assets used.

Through a SharePoint system, a common repository of information was made available to vendor assessment specialists, risk analysts, business relationship managers and purchasing individuals. This data repository was used to collect and share questionnaire results and supporting documentation, identify risks, and store risk resolution documentation and risk disposition.

The program tracks remediation plans and helps execute on-site visits or desktop assessments to ensure security measures are implemented. It also helps BCBSM monitor, reassess and decommission suppliers per their contractual agreement, and employ a quantitative, risk-based approach to supplier ranking and reporting metrics.

Boston University
Enterprisewide Multi-factor Authentication

In January 2014, several senior faculty members at Boston University checked their bank accounts and found that their paychecks had not been deposited. They reported the issue, and an investigation revealed that this was a virtual, but very real, heist. Their direct deposit information had been changed and their money had been re-routed into other people’s bank accounts. The real problem was credentials compromised via a phishing attack that began two months earlier.

The solution was multi-factor authentication. BU engaged top talent to manage, architect, build and deploy the solution. The team selected a flexible approach that allowed them to solve every use case thrown at them. A proof of concept was completed in three days and was ready for production deployment by the end of one month. Several more months of communication later, the technology was up and running. About 1,168 accounts were added during the opt-in period. Today, BU protects 15,000 accounts with MFA.
