CRS Company Overview - Feb 6 2017

Security and Compliance Practice

Upload: joseph-john

Post on 12-Apr-2017


Page 1: CRS Company Overview -Feb 6 2017

Security and Compliance Practice

Page 2

Our Core Team Has Implemented Security Projects in Fortune 500 Companies

• Finance and Insurance: Mass Mutual (GRC (Governance, Risk Management and Compliance), Enterprise Security, Risk and Compliance)
• Technology: Cisco Systems (ISO 27001 Security, Cloud Security, SaaS Security)
• Manufacturing: Toyota Motor (Enterprise IT Security and Compliance)
• Finance and Mortgages: Fannie Mae (Risk Management & Enterprise Security Solutions)
• Finance and HealthCare: TransUnion (PCI DSS Security and Compliance)
• Retail Sector: TJMAXX / TJX (Security Breach and Remediation & PCI DSS Security)
• Travel: Carlson Wagonlit Travel (Enterprise Security and PCI DSS Security and Compliance)
• Health Care System: Siemens HealthCare Systems (PCI DSS Security, SAP System Security & Tokenization)

Cyber Radar Systems

Page 3

Our Core Team Has Implemented Security Projects in Fortune 500 Companies

• Health Care System: Blue Cross Blue Shield (Web Application, PCI DSS Security & HIPAA Security)
• Banking Sector: World Bank (PeopleSoft Security and HIPAA Security)
• Banking Sector: Wells Fargo / Wachovia Bank (PCI DSS, Enterprise Security and Web Application Security)
• Finance and Healthcare: Principal Finance, Bank and HealthCare (PCI DSS, HIPAA, IBM z/OS Security and Enterprise Risk Management)
• IT Security: EMC / RSA Security (Security Breach and Remediation & Enterprise Security Risk)
• Legal and Storage Service: Iron Mountain / Stratify (SAS 70, ISO 27001 and PCI DSS Security)

Page 4

Security Breaches

Page 5

Cost of Security Breaches

• Average cost per record: $197
• Average cost per security breach: $23 Million
• 10% of companies experience a security breach within a year

TJX Security Breach

• Number of Credit Cards Stolen: 45 Million Cards
• Cost per record: $197
• Total Cost: ~ 9 Billion Dollars
• So far TJX has spent ~5 Billion Dollars

Page 6

Cyber Radar Systems Security Products, Security & Compliance Services

• Avoid security breaches or security fraud
• Prevent hackers from attacking systems and networks
• Protect brand image

Page 7

Security Products, Security & Compliance Services

• Secure company confidential, personal and customer sensitive data
• Comply with HIPAA, ISO 27001 Security or PCI DSS (credit card data security) compliance
• Conduct enterprise-wide risk assessments to identify security risks and issues

Page 8

Is Company Data Secure?

• What Is Confidential Data?
  – Customer Data: Social Security Numbers, Credit Card Numbers, Bank Account Numbers, etc.
  – Financial Data: Sales Revenue, Profit or Loss, etc.
  – Manufacturing Data: Intellectual Property, Patents, etc.
  – Government Data: Classified / Confidential Documents

Page 9

The Industry Security Problem

• Any company using IT systems can be hacked
• We hear almost every day about security breaches at enterprises, e.g., financial companies, retail stores, manufacturing companies, government, insurance, etc.

Page 10

What to Protect? CIA Triad - The Three Principles of Information Security

• C: Confidentiality of Data – No unauthorized access
• I: Integrity of Data – No unauthorized modification
• A: Availability of Systems – 99.999 %

Page 11

Security Products, Security & Compliance Services

1. Security Products
2. Security Services
3. Audit and Compliance Services
4. Staffing and Recruitment
5. Security Training

Page 12

Security Products

1. Data Loss Prevention (DLP)
  • End Point Protection DLP (Available)
  • Email DLP (In Progress)
  • Network DLP (In Progress)
  • Storage DLP (In Progress)
  • Mobile DLP (In Progress)
  • Competitors: Symantec Vontu, Websense, McAfee, EMC, etc.

Page 13

Security Products (In the Pipeline)

2. SIEM (Security Information and Event Management)
  • Phase I: Log monitoring of UNIX or Linux systems
  • Phase II: Log monitoring of Windows systems, etc.
  • Competitors: IBM, ArcSight, Splunk, etc.

Page 14

Security Products (In the Pipeline & Future)

3. IoT (Internet of Things) (Automobile Security)
4. Identity and Access Management (Future)
5. Mobile Security (Future)

Page 15

Security Consulting Services

Security Gap Assessment

Security Configuration Standards

Encryption Key Management

Identity and Access Management

Security Architecture Review

Enterprise Security Metrics

Security Threat Controlling Strategies

Page 16

Security Testing Services

Vulnerability Scan & Management

Penetration Testing (Ethical Hacker Testing)

Application Security Testing

Page 17

Security Monitoring Services

Security Incident Event Management (SIEM)

Digital Forensics

Data Loss Prevention (DLP)

Page 18

Audit and Compliance Services

• Gap Assessments
• PCI DSS Security Compliance
• SOX IT Audit
• HIPAA Compliance
• Third Party Vendor Risk Assessments
• ISO 27001 Security Audit
• SAS 70, SOC 1, SOC 2 and SOC 3 Audits
• Due Diligence (Mergers and Acquisitions)
• Remediation

Page 19

SAAS Models (Security Products)

• SOC Monitoring: SOC (Security Operation Center) (Future) Security Monitoring (ArcSight, Splunk, IBM QRadar, Envision, etc.) (24*7)
• Vulnerability Scan and Security Testing: Penetration / Ethical Hacker Testing (Black, White and Grey Box Testing)
• Application Security Testing (Static Code Analysis, Dynamic Code Testing)

On Shore / Off Shore Model

Cyber Radar Systems: Provide security solutions; Provide resources to implement the solutions; Conduct compliance and audits

Page 20

Training (Security and Compliance)

• Vulnerability Management Training
• Security Architecture, Design and Solutions
• PCI DSS Compliance
• Security Awareness Training
• Certified Ethical Hacker (CEH) Training Course
• Security Tools: all security tools (Ethical hacking, Pen testing, vulnerability management, WAF, DLP, SIEM tools, etc.)

Page 21

Staffing and Recruitment

• Gather the requirements for all kinds of IT and IT security jobs
• Place the candidates with our clients

Page 22

Core Security & Compliance Practice

• Security Gap Assessment
• Vulnerability Scan
• Penetration Testing
• Application Security Testing
• Log Monitoring (SIEM (Security Incident Event Management))
• DLP (Data Loss Prevention)


Page 23

Use Cases and Key Projects

• TJMAXX (After Security Breach)
  – PCI DSS Compliance Certification
  – Audit and Legal Expenses
  – Total Spend: $5 B so far

Page 24

Use Cases and Key Projects

• TransUnion
  – Project: PCI DSS Compliance Security
  – Program Management
  – Project Cost: $24 Million Dollars
  – Project Duration: 1 ½ - 2 Years
  – Project Managers: 7
  – Total Resources: 45

Page 25

Use Cases and Key Projects

• EMC / RSA (After the security breach of RSA two-factor authentication tokens)
  – Project Name: Enterprise Risk Assessment
  – Cost of the Project: 12 Million Dollars

Page 26

Security Gap / Risk Assessment

Security Gap Assessment (identifying gaps or security issues): Current State vs. Desired State: Gaps or Risks or Security Issues

Page 27

Security Gap / Risk Assessment

Security Gap Assessment: Conduct a “Gap Analysis” to identify security issues or gaps.

• Security Gap Assessment Process
  1. Conduct security gap assessment
  2. Identify the security issues
  3. Recommend security solutions
  4. Provide resources to implement the solutions
  5. Conduct compliance and security audits

Page 28

Application Security Assessment

Application Security Testing Categories
• Black Box
• Grey Box
• White Box

Application Security Testing Methods
• Static Code Analysis (Static Code Review)
• Dynamic testing (Web applications (Black Box testing) or Penetration testing)
• Manual Code Review

Page 29

Application Security Testing Process

Run application security scan

Review the results

Identify the false positives

Provide practical recommendations

Work with programmers to mitigate the issues

Re-run the scan to validate the issues

Page 30

Penetration Testing Services


Establish Goal

Information Gathering

Vulnerability Analysis

Penetrate the System

Risk Assessment

Reports and Recommendations

Page 31

Third Party Vendor Security Risk Assessment

Vendor Onboarding Process: Registration of Vendors, Short List the Vendors, Third Party / Fourth Party Vendor Risk Assessment, Contract and Legal Agreement

Security incidents due to third party and fourth party vendors: 28%

Page 32

Conduct third party risk assessment

Identify the gaps

Provide practical recommendation

Work with the vendor to mitigate the issues

Re-test and validate the implemented controls

Third Party Vendor Security Risk Assessment

Page 33

ISO 27001 Security Assessment

• Identify the scope
• Conduct gap assessment
• Identify the areas of non-compliance
• Recommend policies and controls to meet the compliance requirements
• Create the ISMS (Information Security Management System) manual
• Work with the team to implement the security policies and controls
• Test & validate the implemented requirements

Page 34

Vulnerability Management

1. DISCOVERY
2. ASSET PRIORITISATION
3. ASSESSMENT (Scanning)
4. REPORTING
5. REMEDIATION
6. VERIFICATION

Summer Cyber-Security Workshop, Lubbock, July 2014

Page 35

Security Configuration Standards

Security Configuration Standard Service

Page 36

Enterprise Security Metrics & Conformance: Executive Dashboard Report

1. System Metrics & Conformance
2. Application Metrics & Conformance
3. Endpoint Metrics & Conformance
4. Network Metrics & Conformance
5. Perimeter Metrics & Conformance

Page 37

Security Threat Controlling Strategies

• Identify Security Threat Metrics. Example: Blocked and Allowed Security Threats.
• Recommend Security Threat Controlling Strategies. Example: Evaluate and recommend the signatures that need to be blocked instead of allowed.

Page 38

SOC Monitoring Services (On Shore / Off Shore)

• Log Monitoring Service
• Event Correlation (Identify key security issues)
• Alerts and Escalation
• Incident Response

Page 39

Security Design and Architecture Solutions

• Security Architecture & Security Requirements
• Compliance / Legal Requirements
• Industry Best Practices

Page 40

Encryption, Cryptography and Key Management Service

Encryption: Data at Rest, Data in Use, Data in Transit

• Symmetric Encryption: Symmetric key
• Asymmetric Encryption (PKI): Public key, Private key

Page 41

Create and Implement Security Policies, Standards and Processes

Information Security Policies, Standards and Practices

• Enterprise Information Security Policy (EISP)
• Issue-Specific Security Policy (ISSP)
• Systems-Specific Policy (SysSP)

Page 42

1. Acceptable Use Policies

2. IT Security Risk Management Policy

3. Third Party Connectivity Management Policy

4. Information Classification Policy

5. Workforce Security Responsibilities Policy

6. Security Awareness and Training Policy

7. Physical and Environmental Controls Policy

8. Wireless Policy

9. Removable Media Policy

10. Remote Access Policy

11. Backup and Recovery Policy

12. Anti-Virus Policy

13. Change Management Policy

14. Information Handling Policy

15. Firewall/Router Policy

16. Computer Modem/Facsimile Use Policy

17. Monitoring and File Integrity Policy

18. Mobile Computing Policy

19. Desktop Computer Security Policy

20. Access Control and Password Management Policy

21. Secure Development and Support Policy

22. Software Installation/Download Policy

23. Encryption and Key Management Policy

24. Patch Management Policy

25. Vulnerability Management Policy

26. Incident Response Policy

27. Disaster Recovery Policy

28. Business Continuity Policy

29. Service Provider Policy

30. Data Retention and Disposal Policy

31. Compliance Audit Policy

Creation and Implementation of Security Policies (31 Policies)

Create and Implement Security Policies, Standards and Processes

Page 43

Security Products / Tools Development

• Data Loss Prevention (DLP)
• Log Monitoring and Event Correlation Tools
• IoT (Automobile Security)

Page 44

Design and Implementation of Security Tools

• Monitoring of Systems (Event Correlation Tools)
• Data Loss Prevention / Content Management Filter
• Vulnerability Testing (Qualys, Rapid7, etc.)
• Penetration Testing / Ethical Hacking
• File Integrity Monitoring
• DDoS
• End Point Protection (FireEye)

Page 45

Thanks

Page 46

Application Security Assessment

Stages: Initial Scoping, Information Gathering, Security Assessment, Result Analysis, Reporting

Initial Scoping: Once the initial order has been received, the next stage is to carry out the initial scoping. At this stage the application access information is provided by the customer, along with any authentication credentials that are required to perform the security assessment.

Information Gathering: In the passive information gathering stage we examine the application's general and business logic. Business logic flaws in the application can also lead to serious security issues. At the end of this phase, we should understand all the access points (gates) of the application (e.g. HTTP headers, parameters, and cookies).

Security Assessment: In this phase we perform the assessment of the application using manual and automated processes, depending upon the information gathered.

Result Analysis: In this phase we analyze the results to verify false positives and false negatives, to make sure that the application has been tested properly.

Reporting: Once all of the assessment data has been collected, the next phase is to analyze the data and create two reports for the customer. The reports contain the details of each vulnerability and a screenshot as proof of concept (POC).

Page 47

• Backup

Page 48

Types of Application Security Testing

• Dynamic Application Testing
  – Manual testing. Tool used: Burp Suite
  – Automated Testing. Tools used: Acunetix, AppScan, Burp Suite Pro
• Static Code Analysis. Tools used for the testing: Fortify, Checkmarx, Veracode

Testing Methods: Black Box, White Box, Grey Box

Page 49

Use Cases and Key Projects

• Wells Fargo /Wachovia

Page 50


Catalogue of Security Services

Compliance, Audit, Risk and Governance
• PCI DSS Security Compliance, Audit, Risk and Governance
• IT Audit
• Third Party Vendor Risk Assessments
• Due Diligence (Mergers and Acquisitions)
• Disaster Recovery & Business Continuity
• GLBA Audit
• Threat Assessment
• ISO 27001 Security Audit
• SAS 70, SOC 1, SOC 2 and SOC 3 Audits
• SOX IT Audit

Security Consulting
• Security Risk or Gap Assessment
• Vulnerability and Patch Management
• Penetration Testing
• Web Application Security
• Cloud Security
• Security Configuration Standards (System Hardening Standards)
• SIEM – Security Incident and Event Management
• Security Incident Response Plan
• Forensic Investigation Process

Other Areas
• Access Control
• Security Policies, Standards, Processes and Tools
• Security Architecture and Solutions
• Security Design & Integration
• Identity & Access Management
• Encryption and Key Management
• File Integrity Monitoring
• Data Loss Prevention
• DDOS Mitigation

Page 51

Security Products, Services & Compliance Services

• Security Products
• Security Services
• Audit and Compliance Services


Training (Security and Compliance)

Page 52

Enterprise Security Metrics

System Conformance
• Encryption of Databases
• Code-scanning of MM developed Applications
• Security Gateway Coverage for Web Services

Application Conformance
• Encryption of Databases
• Code-scanning of MM developed Applications
• Security Gateway Coverage for Web Services

Perimeter Conformance
• Perimeter Firewall - Critical and High Threats Block Percentage
• Malware Scanning of Email Attachments
• (D)DoS Use Case Coverage

Endpoint Conformance
• Network Access Control (NAC) Coverage
• Mobile-Devices Monitoring Coverage
• End-point Encryption (Laptops and Desktops)
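The perimeter metric above (critical and high threat block percentage) and the page 37 recommendation to find signatures that should be blocked instead of allowed can both be derived from the same IPS / firewall event log. The Python below is an added example written for this page, not Cyber Radar Systems' code; the key=value log layout and the sample events are constructed assumptions, and lines that lack the required fields are skipped rather than counted.

```python
from collections import defaultdict

# Constructed sample IPS / perimeter-firewall events (key=value layout is
# an assumption for this example; addresses are documentation ranges).
SAMPLE_LOG = """\
2017-02-06T10:01:12 sig=2010935 sev=critical action=block src=203.0.113.7
2017-02-06T10:01:15 sig=2010935 sev=critical action=block src=203.0.113.9
2017-02-06T10:02:03 sig=2019401 sev=high action=alert src=198.51.100.4
2017-02-06T10:02:44 sig=2019401 sev=high action=alert src=198.51.100.8
2017-02-06T10:03:10 sig=2003068 sev=medium action=alert src=192.0.2.20
2017-02-06T10:04:51 sev=low action=alert sig=2100498 src=192.0.2.21
2017-02-06T10:05:30 sig=2024897 sev=critical action=alert src=203.0.113.77
2017-02-06T10:06:02 sig=2024897 sev=critical action=block src=203.0.113.78
malformed line with no fields
"""

REQUIRED = {"sig", "sev", "action"}
HIGH_SEVERITIES = ("critical", "high")


def parse_events(log_text):
    """Parse key=value log lines in any field order; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if REQUIRED.issubset(fields):
            events.append(fields)
    return events


def block_percentage(events, severities=HIGH_SEVERITIES):
    """Perimeter metric: share of critical/high threat events that were
    blocked rather than merely alerted on. None when no such events exist."""
    relevant = [e for e in events if e["sev"] in severities]
    if not relevant:
        return None
    blocked = sum(1 for e in relevant if e["action"] == "block")
    return round(100.0 * blocked / len(relevant), 1)


def signatures_to_block(events, severities=HIGH_SEVERITIES):
    """Signatures that fired at critical/high severity without blocking:
    candidates to switch from alert-only to block, most frequent first."""
    allowed_hits = defaultdict(int)
    for e in events:
        if e["sev"] in severities and e["action"] != "block":
            allowed_hits[e["sig"]] += 1
    return sorted(allowed_hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(f"critical/high block percentage: {block_percentage(evts)}%")
    for sig, hits in signatures_to_block(evts):
        print(f"signature {sig}: {hits} critical/high hit(s) not blocked")
```

On the sample data the block percentage is 50.0% and two signatures are reported as alert-only for critical/high events, which is the list a reviewer would evaluate before changing any signature to block.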

Page 53

• Backup